Before Certificate Services starts, it enumerates all the keys and certificates that have been issued to the certification authority (CA), even if the keys and the certificates have expired. Certificate Services will not start if any one of these certificates has been removed from the local computer Personal certificate store.

To resolve this issue, verify that the number of certificate thumbprints in the registry is equal to the number of certificates that have been issued to the CA. If any certificates are missing, import the missing certificates into the local computer Personal certificate store. After you have imported the missing certificates, use the certutil -repairstore command to repair the link between the imported certificates and the associated private key store.

To do this, use one of the following methods, depending on which version of the operating system your computer is running.

Method 1: Windows Server 2003

To resolve this issue on a Windows Server 2003-based computer, follow these steps.

Step 1: Look for missing certificates

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:

322756 (http://support.microsoft.com/kb/322756/) How to back up and restore the registry in Windows

The certificate thumbprints indicate all the certificates that have been issued to this CA. Every time that a certificate is renewed, a new certificate thumbprint is added to the CaCertHash list in the registry. The number of entries in this list must equal the number of certificates that are issued to the CA and that are listed in the local computer Personal certificate store.

Make a note of the number of certificate thumbprints that the Value data list contains.

Start Command Prompt.

Type the following command, and then press ENTER:

certutil -store

Compare the number of certificates that are listed in the local computer Personal certificate store to the number of certificate thumbprints that are listed in the CaCertHash registry entry. If the numbers are different, go to "Step 2: Import the missing certificates." If the numbers are the same, go to "Step 3: Install the Windows Server 2003 Administration Tools Pack."

Step 2: Import the missing certificates

Click Start, point to All Programs, point to Administrative Tools, and then click Certificates.

The Certificates directory is now added to Microsoft Management Console (MMC).

On the File menu, click Save as, type Certificates in the File name box, and then click Save.

To open Certificates in the future, click Start, point to All Programs, point to Administrative Tools, and then click Certificates.

Expand Certificates, expand Personal, right-click Certificates, point to All Tasks, and then click Import.

On the Welcome page, click Next.

On the File to Import page, type the full path of the certificate file that you want to import in the File name box, and then click Next. Alternatively, click Browse, search for the file, and then click Next.

If the file that you want to import is a Personal Information Exchange - PKCS #12 (*.PFX) file, you will be prompted for the password. Type the password, and then click Next.

On the Certificate Store page, click Next.

On the Completing the Certificate Import Wizard page, click Finish.

Note The CA always publishes its CA certificates to the %systemroot%\System32\CertSvc\CertEnroll folder. You may find the missing certificates in that folder.

Step 3: Install the Windows Server 2003 Administration Tools Pack

After you import the certificates, you must use the Certutil tool to repair the link between the imported certificates and the associated private key store. The Certutil tool is included in the CA Certificate Tools. The Windows Server 2003 CA Certificate Tools are located in the Windows Server 2003 Administration Tools Pack. If the CA Certificate Tools are not installed on your computer, install them now.
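As an added example (not part of this article), the following PowerShell scripts the Step 1 comparison and the certutil -repairstore step: it reads the CaCertHash list through certutil -getreg, matches each thumbprint against the local computer Personal store instead of only comparing counts, and reports which thumbprints still need importing or repairing. The certutil output line format it parses and the function names are assumptions; it must run elevated on the CA host.

```powershell
# Added example, not part of the KB article. Assumes it runs elevated on the CA host.
# Parses the CaCertHash list (as printed by "certutil -getreg CA\CaCertHash"),
# matches each thumbprint against the local computer Personal store, and reports
# thumbprints with no certificate and certificates whose private key link is gone.

function ConvertFrom-CaCertHashOutput {
    param([string]$CertutilText)
    # Assumption about certutil's REG_MULTI_SZ rendering: one line per element,
    # "N: " followed by the SHA-1 thumbprint as 20 space-separated hex bytes.
    [regex]::Matches($CertutilText, '(?m)^\s*\d+:\s*((?:[0-9a-fA-F]{2}\s*){20})$') |
        ForEach-Object { ($_.Groups[1].Value -replace '\s', '').ToUpperInvariant() }
}

function Compare-CaCertStore {
    param(
        [string[]]$ExpectedThumbprints,   # thumbprints from the CaCertHash registry value
        [System.Security.Cryptography.X509Certificates.X509Certificate2[]]$StoreCerts
    )
    $byThumb = @{}
    foreach ($c in $StoreCerts) { $byThumb[$c.Thumbprint.ToUpperInvariant()] = $c }
    $missing = @(); $noKey = @()
    foreach ($tp in $ExpectedThumbprints) {
        if (-not $byThumb.ContainsKey($tp))       { $missing += $tp }
        elseif (-not $byThumb[$tp].HasPrivateKey) { $noKey   += $tp }
    }
    # The article compares raw counts; matching by thumbprint also gives the right
    # answer when the Personal store holds unrelated (non-CA) certificates.
    [pscustomobject]@{
        RegistryCount    = $ExpectedThumbprints.Count
        StoreCount       = $StoreCerts.Count
        MissingFromStore = $missing   # import these (check %systemroot%\System32\CertSvc\CertEnroll)
        MissingKeyLink   = $noKey     # repair these with: certutil -repairstore my <thumbprint>
    }
}

# Live run on the CA: read the active CA configuration and the Personal store.
$hashes = ConvertFrom-CaCertHashOutput ((certutil -getreg CA\CaCertHash) -join "`n")
$report = Compare-CaCertStore -ExpectedThumbprints $hashes `
                              -StoreCerts (Get-ChildItem Cert:\LocalMachine\My)
$report
# Once the missing certificates have been imported, re-link each one to its private key.
foreach ($tp in $report.MissingKeyLink) { certutil -repairstore my $tp }
```

Re-run the script after the repair; Certificate Services should only be started once MissingFromStore and MissingKeyLink are both empty.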

Step 5: Start the Certificate Services service

Method 2: Windows 2000

To resolve this issue on a Windows 2000-based computer, follow these steps.

Step 1: Look for missing certificates

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:

322756 (http://support.microsoft.com/kb/322756/) How to back up and restore the registry in Windows

The certificate thumbprints indicate all the certificates that have been issued to this CA. Every time that a certificate is renewed, a new certificate thumbprint is added to the CaCertHash list in the registry. The number of entries in this list must equal the number of certificates that are issued to the CA and that are listed in the local computer Personal certificate store.

Make a note of the number of certificate thumbprints that the Value data list contains.

Start Command Prompt.

Type the following, and then press ENTER:

certutil -store

Compare the number of certificates that are listed in the local computer Personal certificate store to the number of certificate thumbprints that are listed in the CaCertHash registry entry. If the numbers are different, go to "Step 2: Import the missing certificates." If the numbers are the same, go to "Step 3: Install the Windows Server 2003 Certutil tools."

Step 2: Import the missing certificates

Click Start, point to Programs, point to Administrative Tools, and then click Certificates.

The Certificates directory is now added to Microsoft Management Console (MMC).

On the Console menu, click Save as, type Certificates as the file name, and then click Save.

To open Certificates in the future, click Start, point to Programs, point to Administrative Tools, and then click Certificates.

Expand Certificates, expand Personal, right-click Certificates, point to All Tasks, and then click Import.

On the Welcome page, click Next.

On the File to Import page, type the full path of the certificate file that you want to import in the File name box, and then click Next. Alternatively, click Browse, search for the file, and then click Next.

If the file that you want to import is a Personal Information Exchange - PKCS #12 (*.PFX) file, you will be prompted for the password. Type the password, and then click Next.

On the Certificate Store page, click Next.

On the Completing the Certificate Import Wizard page, click Finish.

Note The CA always publishes its CA certificates to the %systemroot%\System32\CertSvc\CertEnroll folder. You may find the missing certificates in that folder.

Step 3: Install the Windows Server 2003 Certutil tools

After you import the certificates, you must use the Windows Server 2003 CA Certificate Tools to repair the link between the imported certificates and the associated private key store.

The Windows Server 2003 versions of Certutil.exe and Certreq.exe are included in the Windows Server 2003 Administration Tools Pack. To install the tools on a Windows 2000-based computer, you must first install the Windows Server 2003 Administration Tools Pack on a computer that is running Windows Server 2003 or Microsoft Windows XP with Service Pack 1 (SP1) or with a later service pack. The Windows Server 2003 Administration Tools Pack cannot be installed directly on a Windows 2000-based computer.

Important After you copy the Windows Server 2003 CA Certificate Tools to the Windows 2000-based computer, two versions of the Certutil tool will reside on the Windows 2000-based computer. Do not remove the Windows 2000 Certutil tool. Other programs depend on the Windows 2000 version of this tool. For example, the Certificates MMC snap-in requires the Windows 2000 Certutil tool. Additionally, do not register the Windows Server 2003 Certcli.dll and Certadm.dll files on the Windows 2000-based computer.

To use the Windows Server 2003 CA Certificate Tools on a Windows 2000-based computer, follow these steps:

In the Components list, click to clear the Certificate Services check box, click Next, and then click Finish.

Install Certificate Services. To do this, follow these steps:

Click Add/Remove Windows Components.

In the Components list, click to select the Certificate Services check box, click Next, and then click Finish.

All users, computers, and services that hold certificates issued by the CA that stopped working correctly must enroll for new certificates from the new CA.

Note If this issue occurs on the Root CA of the public key infrastructure (PKI) hierarchy and if the issue cannot be repaired, you will have to replace the whole PKI hierarchy. For additional information about how to remove the PKI hierarchy, click the following article number to view the article in the Microsoft Knowledge Base:

889250 (http://support.microsoft.com/kb/889250/) How to decommission a Windows enterprise certification authority and how to remove all related objects from Windows Server 2003 and from Windows 2000 Server